Signed data security law will take effect January 2020

The legislation will go into effect Jan. 1, 2020

Limited exemption for licensees with fewer than 20 employees

Includes safe harbor for entities in compliance with New York cyber security regulation

Gov. Chris Sununu signed an insurance data security law based on the National Association of Insurance Commissioners’ model legislation, following the recommendation of the New Hampshire Insurance Department. Sununu signed the law earlier this month and it will go into effect Jan. 1, 2020.

The law sets out requirements for licensees in New Hampshire to follow when a cyber security event occurs and what steps must be taken in order to minimize the chances of a cyber security event occurring. All licensees must follow the legal procedures in response to a cyberevent. The procedures include prompt notice to the insurance commissioner should a cyber security event affect the nonpublic data of a New Hampshire resident if the licensee is an insurer domiciled in New Hampshire, or a resident insurance producer in New Hampshire. For nonresident producers and insurers domiciled outside the state, notice will be required if a cyber security event affects 250 or more New Hampshire residents.

The law requires a risk assessment and the implementation of an information security program. However, some licensees may be exempt from the requirement. Licensees with fewer than 20 employees—including independent contractors with access to nonpublic information—will not be required to comply with that section of the law. All licensees who do not qualify for the limited exemption must have their information security programs in place by Jan. 1, 2020. The law requires that licensees develop a program to reflect the findings of their risk assessment, but recommends additional security measures. Only insurers will need to file certification with the NHID.

The law includes a safe harbor for any licensee who is compliant with New York’s cyber security regulation (23 NYCRR 500). To comply under the safe harbor, a licensee must submit a written statement to the New Hampshire insurance commissioner certifying compliance with New York state’s regulation. Even licensees who comply with the data security legislation through the safe harbor must comply with the New Hampshire requirements for investigating a cyber security event and commissioner notification requirements.

Unlike New York, the New Hampshire law and the NAIC model legislation exclude licensees as third-party service providers. The New Hampshire law has a more limited definition of a cyber security event, which focuses on actual security breaches, not attempted breaches.

PIANH will issue more information on New Hampshire’s insurance data security law, including resources and classes, in the coming months.